hackers seem to like base64 (or eval) encoding their php commands

all-find-potential-malware-occurences.sh

#!/bin/bash
# This will find ANY "base64" or "eval(" or "eval)" which are potentially a malware and write all output in detections.txt
# WARNING : This bash script need to be executed in the "infected" folder, like /var/www/
find . -type f -exec grep -Hn "base64\|eval(\|eval)" '{}' \; &> detections.txt

detections.txt

test_find/test.js:1:eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
test_find/test.js:2:e=(eval);
test_find/test.tpl:1:eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
test_find/test.php:1:eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));

files_for_the_test

root@test:/var/www# ll test_detection/
total 12
-rw-r--r-- 1 root root 74 avril  6 00:45 test.js
-rw-r--r-- 1 root root 64 avril  6 00:14 test.php
-rw-r--r-- 1 root root 64 avril  6 00:14 test.tpl
root@test:/var/www# cat test_detection/test.js
eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
e=(eval);
root@test:/var/www# cat test_detection/test.php
eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));
root@test:/var/www# cat test_detection/test.tpl
eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));